
28.
Don’t use the admin account
If you are using the admin account you are wrong!
Either change the username in MySQL:
UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';
Or create a new/unique account with administrator privileges:
1. Create a new account. Make the username unique and hard to guess
2. Assign the account to the Administrator role
3. Log out and log back in with the new account
4. Delete the admin account
Make it hard on the hacker! If they already know your username that’s half the battle

29.
Don’t use the admin account
WordPress 3.0 lets you set the administrator username during the installation process!

30.
The Great Permission Debate
What folder permissions should you use?
Good Rule of Thumb:
• Files should be set to 644
• Folders should be set to 755
Start with the default settings above; if you can’t upload, increase privileges (i.e. 775, 777)
Permission levels vary depending on server configuration
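As an added example that is not part of the original slides, a small POSIX shell audit that checks a WordPress tree against the 644/755 rule of thumb, flags anything left world-writable after the 775/777 shortcut, and can reset the tree to the defaults. The WordPress root is assumed to be passed as the first argument (a hypothetical path).

```shell
#!/bin/sh
# Added example, not from the original slides: audit a WordPress tree against
# the 644 (files) / 755 (folders) rule of thumb and surface anything that was
# loosened to 775/777 to get uploads working. The WordPress root is assumed
# to be passed as the first argument, e.g. /var/www/html (hypothetical path).

# List every file whose mode is not exactly 644 and every directory whose
# mode is not exactly 755.
list_nonstandard() {
    find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \)
}

# Count the entries reported by list_nonstandard (0 means the tree is clean).
count_nonstandard() {
    list_nonstandard "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) only if nothing under the root is world-writable.
# -perm -002 matches any entry with the "other" write bit set (e.g. 777, 666),
# which is what an upload-fixing chmod 777 leaves behind.
check_world_writable() {
    n=$(find "$1" -perm -002 | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Reset the whole tree to the rule of thumb: 755 for folders, 644 for files.
# Run this only after confirming the server needs nothing looser.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone usage: ./wp-perms.sh /path/to/wordpress [--fix]
if [ "$#" -ge 1 ]; then
    list_nonstandard "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_wp_perms "$1"
    fi
    if check_world_writable "$1"; then
        echo "OK: no world-writable entries under $1"
    else
        echo "WARNING: world-writable entries found under $1"
    fi
fi
```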

32.
Move the wp-config.php file
WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root
This makes it nearly impossible for anyone to access your wp-config.php file as it now resides outside of your website’s root directory
WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
If WordPress is located here:
public_html/wordpress/wp-config.php
You can move your wp-config.php file to here:
public_html/wp-config.php

34.
Remove WordPress Version from Header
Viewing source on most WP sites will reveal the version they are running:
<meta name="generator" content="WordPress 2.9.2" /> <!-- leave this for stats -->
This helps hackers find vulnerable WP blogs running older versions
To remove it, find the code below in the header.php file of your theme and remove it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
<!-- leave this for stats please -->
Themes and plugins might also display versions in your header.
The wp_head function also includes the WP version in your header
To remove it, drop this line of code in your theme’s functions.php file:
remove_action('wp_head', 'wp_generator');

35.
Stay Current on Updates
Keep WordPress core, plugins, and theme files up to date
The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
Recent WordPress hack only affected outdated WordPress installs

36.
Use Secure Passwords
Use strong passwords to protect your website from dictionary attacks
Not just for WordPress, but also FTP, MySQL, etc.
BAD PASSWORD: bradrocks
GOOD PASSWORD: S-gnop2D[6@8
WordPress will tell you when you have it right
Great resource: toughpassword.com creates random passwords

39.
Force SSL Login and Admin Access
Set the below option in wp-config.php to force SSL (https) on login:
define('FORCE_SSL_LOGIN', true);
Set the below option in wp-config.php to force SSL (https) on all admin pages:
define('FORCE_SSL_ADMIN', true);

40.
.htaccess lockdown
1. Create a .htaccess file in your wp-admin directory
2. Add the following lines of code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
allow from 123.123.123.123
Only a user with the IP 67.123.83.59 or 123.123.123.123 can access wp-admin